As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options
[Espionage] US Government Hacked: 4 million federal employees' data breached
joshofalltrades
Class TraitorSmoke-filled roomRegistered User regular
Class TraitorSmoke-filled roomRegistered User regular
This seems like kind of a huge deal.
Now I'm no expert on electronic security or espionage, but this seems bad. If it was the Chinese government perpetrating the hack, that would be even worse.
How did we get so thoroughly outfoxed here?
This situation is ongoing, but I looked for an espionage/counterespionage thread and couldn't find one. This seems as good an excuse as any to make one.
If you're one of the 4 million people at risk of having your data stolen, please take precautions. This whole thing just really sucks.
WASHINGTON — A giant hack of millions of government personnel files is being treated as the work of foreign spies who could use the information to fake their way into more-secure computers and plunder U.S. secrets.
Federal employees were told in a video Friday to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.
“Some of you may think that you are not of interest because you don’t have access to classified information,” he said. “You are mistaken.”
Federal officials said Friday the cyberattack appeared to have originated in China, but they didn’t point fingers directly at the Chinese government. The Chinese said any such accusation would be “irresponsible and unscientific.”
“We know that the attack occurred from somewhere in China, but we don’t know whether it was an individual or a group or a nation-state attack,” said Rep. Jim Langevin, a Rhode Island Democrat and leading voice in Congress on cybersecurity. He added, though that it had “all the hallmarks of a nation-state attack.”
White House spokesman Josh Earnest said he couldn’t divulge much while the case was under investigation. Still, he noted that investigators “are aware of the threat that is emanating from China.”
One U.S. official said the breach of data involving more than 4 million past and present federal workers was being investigated as a national security matter. That suggests authorities believe a nation was behind it rather than a more loosely organized gang of cybercriminals. The official was not authorized to discuss an ongoing investigation and spoke only on condition of anonymity.
The breach was an embarrassing showing for the U.S. government’s vaunted computer-defense system for civilian agencies — dubbed “Einstein” — which is costing $376 million this year alone. It’s supposed to detect unusual Internet traffic that might reflect hacking attempts or stolen data being transmitted outside the government.
A wide range of information is prized by spies — classified military secrets but also economic strategy and internal foreign policy debates.
This latest breach occurred in December but wasn’t discovered until April, officials say. It was made public Thursday.
“The scale of it is just staggering,” said Rep. Adam Schiff, D-Calif., top Democrat on the House Intelligence Committee. There’s no telling how many more attacks could be spawned by the information stolen in this case, he said.
Although most Americans think of identity thieves stealing from credit card or bank accounts, the information about civilian federal workers has other value for spies.
“They’re able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals,” said Payne, the counterintelligence official.
He said details from personnel files could be used to craft personalized phony messages to trick workers. Federal employees who think they’re opening an email from co-workers or family members might infect their computers with a program that would steal more information or install spy software.
Spies also could use details about an employee’s interests or background to befriend them and try to manipulate them into revealing secrets.
Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees “a gold mine.”
“What’s the weakest link in security?” Mitnick said. “The human. Now you know all about your target.”
The hackers may have made off with even more information about workers who undergo security clearance background checks. That information includes the names of family, neighbors, even old bosses and teachers, as well as reports on vices, arrests and foreign contacts.
However, OPM spokesman Samuel Schumach said there was no evidence to suggest that security clearance information collected by OPM was compromised. It’s stored separately from routine personnel files, he said.
“The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, job assignments, training files, performance ratings and current and former addresses,” Schumach said in an email.
The breach occurred at a network maintained by the Department of Interior, which also houses the personnel agency’s files. Schumach said agencies share computer systems partly to save money — and it’s also supposed to strengthen security.
Security experts said the hackers may have gone after the personnel agency because it’s an easier target than the Pentagon or National Security Agency.
Private cybersecurity researchers said they believe the personnel agency was targeted by the same hackers who got into the Anthem and Primera health insurance groups last year.
John Hultquist, head of cyberespionage intelligence at iSight, said the Dallas-based security firm had found evidence linking the insurance and government attacks, but declined to say whom they suspect. “We think they are creating a database they can leverage for follow-on espionage,” Hultquist said.
A spokesman for the Director of National Intelligence declined to discuss whether there was evidence against China or whether intelligence agency employees were among those whose information was compromised.
U.S. investigators have improved their ability to attribute cyberattacks in recent years, officials said, and Chinese attacks often have identifiable signatures.
The Homeland Security Department noted that the Einstein defenses were just one part of the government’s cybersecurity, and said it was used to confirm the breach. But that’s like a smoke alarm sounding after the house burned down.
Einstein also helped understand how the break-in happened and protect against a repeat of a similar attempt.
“It didn’t fare so well,” said James Lewis, a leading cybersecurity expert at the Center for Strategic and International Studies, a Washington think-tank. “It’s only a victory if you defeat the opponent, and we didn’t.”
Now I'm no expert on electronic security or espionage, but this seems bad. If it was the Chinese government perpetrating the hack, that would be even worse.
How did we get so thoroughly outfoxed here?
This situation is ongoing, but I looked for an espionage/counterespionage thread and couldn't find one. This seems as good an excuse as any to make one.
If you're one of the 4 million people at risk of having your data stolen, please take precautions. This whole thing just really sucks.
joshofalltrades on
0
Posts
Yeah that's sort of eyebrow-raising...
It makes me wonder how likely it is that the culprits will actually be discovered.
Unfortunately we're behind the Chinese when it comes to cyber warfare. We have been trying to catch up but there are two problems:
1. US Cyber Command, while "established" in 2009 wasn't operational until May 2010. At this point the active duty capability is not there. But because of traditional AD versus Reserve/Guard rivalry, the active duty Cyber Command does not plan to include Reserve/Guard units or personnel (This isn't 100% concrete right now, but I wouldn't be surprised if it didn't change). Right now the concentration on this topic is on the officer side; the Army doesn't even have an enlisted MOS specifically for Cyber Warfare yet.
2. Our talent pool isn't available to be employed by the government. There is no incentive for the most talented candidates with already existing knowledge and skills to enlist (especially) or apply for employment to civilian agencies.
Now we can catch up by training our currently not drug using and not super talented personnel to do the job, but that isn't going to instantaneously catch us up capability wise.
Never. As long as humans exist there will always be vulnerabilities.
It's institutional inertia.
So what you're saying is that Mallory Archer is in charge of security for the federal employee database.
I can understand how one could make the assumption that it's not some Chinese super hacker, it's just that we really are this bad at network security. It's not really a more comforting thought, though. My girlfriend is a state employee; the thought of her information in the hands of ne'er-do-wells who could really do some serious harm just because the government she trusted her information with is pretty shitty at actually securing it sucks.
Yea, if you have a base you want to guard and you need more guards, you can go recruit some guys and send them to bootcamp for a couple months and boom, you have guards.
But if you want someone to be able to guard against specialized hacking attempts from foreign powers, like, I would imagine you'd need the equivalent of a 4 year degree to even qualify for starting in the field, and the people in charge would be ideally more like PhD level with years of experience. Unlike war where you can win just by having more guys than the other side, in computer security your guys need to be better than the best guy the other side can throw at you. And the best the government can do is contract it out.
Great.
It's just fantastically hard to scale up any sort of technology work to the level required without lots of bad decisions being made. You can see it in the corporate world, too. On the other hand, maybe the other team's even worse.
The Navy and Air Force are having better success with this but both have a long history of being more concerned with the technical aspects of warfare so it wasn't much of a change. The Navy right now is actually nearly over manned last I checked. I'm told the training is pretty good though can't speak for it first hand.
They all are. The most widely used crypto library had a tiny, careless buffer overrun bug in it for years before anyone noticed, and this was sufficient to leak pretty much everything from any system using the software. That code was used all over the place and had thousands of people looking at it.
The system here that got hacked was a bespoke system used in one place and written by some incompetent federal contractor; it was certainly far worse.
There's a zillion lines of code propping up every damn thing around you and it's all pretty much garbage.
In short, security's really fucking hard, and a lot of devs either don't understand it or don't fucking care.
And people wonder why I say that paranoia isn't a mental disorder for a developer - it's a job requirement.
There are a few problems with allowing commissioned officers only into this field (when talking about needing the equivalent of a 4 year degree and talking about only the military side):
1. An officer, for example in the Army, does not need to have a degree and education in the field that they may commission in. I know more than a few officers that were commissioned through college ROTC programs and unless you are the top handful of your graduating class (relative to other ROTC cadets) you aren't likely to get your choice of branch (career field). Instead you will become needs of the Army. Now USCC was taking volunteer officers, but while volunteers might have had some interest in the topic, it's very possible that the majority saw it as a career bump and have no experience or education specific to the field.
2. The job of a commissioned officer isn't necessarily to do the mission, but the facilitate the enlisted (and warrant officers) to perform the mission, and to know just enough about each aspect of the mission to do this successfully. On top of this, officers are responsible for a lot of admin stuff that isn't mission specific.
Now having a Bachelor's doesn't necessarily mean you will get or have to take a commission. I went to intel school with a surprising amount of soldiers who enlisted with Bachelor's degrees. But they certainly weren't the norm, even in the intelligence field. The majority were 18 year old kids who were told that the field was in need of bodies and that a clearance would make them employable for the rest of their lives.
Now you can restrict this CMF to only those with Bachelor's (the only real way "qualifier" that the military could handle to differentiate between those with education/experience and those without), but you're going to cut down significantly on the pool of available bodies to enlist. This is a problem if you are trying to build up a relatively new capability as quickly as possible.
The USN and USAF also have an easier time attracting the more potentially talented enlisted personnel. No one that knows better (I didn't know better) enlists in the Army or Muhhhrrreeens.
That's the advantage of utilizing guard and reserve personnel. They likely already have the education and experience to contribute. The problem is that most active duty don't see this as an asset because reserve and guard personnel aren't doing police calls and work details five days a week every week so they aren't "real" soldiers.
I'm sure this is the same attitude for the USMC, maybe less so for the USN and USAF.
And there are functional limits on how much you can do in defense, because the goal isn't "keep everybody out" it's "keep unauthorized people out" and people need access for their day to day jobs
Yeah, to some degree network security is an almost unsolveable problem. There will always be vulnerabilities, you just need to try your hardest to hack your own systems to find them, so the other guy takes longer to find what is surely present.
On point 2, more then that I feel like the US and alot of western countries have issues in that the culture of our developer communities is more suspicious of the government then supportive of it. Can make it a hard pool of talent to draw from.
Yea, that was sort of my point, in that the military isn't really set up to staff really technical fields. You don't have soldiers designing rifles and aircraft, you contract that out to civilians. But putting civilians into positions of 'conflict' (sort of) with opposition governments is sort of unusual. I work for a military software contractor, and it's hard to imagine we'd ever even see a contract saying "go counter-hack the Chinese". The intelligence agencies surely do have some good guys on staff but I'm sure they're busy enough without the military and every other government department getting use of them as well.
Government work is also generally seen as less prestigious (the NSA has enough to scoop up quite a few of the best crypto people though) and there are other potential culture clashes, eg office wear. If I can't come in a t-shirt and shorts then I'm going to find another job
There is a cyber MOS in the army its a 35Q. They are pretty new and while I was in they were only accepting people for MOS transfers that were E5 and up.
Also, the problem isn't that there aren't people to recruit to do the job, it's just that there are almost zero incentives to do so. The pay and lifestyle basically sucks when you could do the same jobs outside of the military and get paid two or three times as much. That actually is true for most of the MI jobs in the military. Where I worked people often would get out, only to get hired as a contractor making more than double what they made in the military to WORK AT THE SAME DESK AS WHEN THEY WERE IN THE MILITARY. However if the contractor isn't working with the government those same people could just go work for a private company.
Having these databanks open to the internet instead of some sort of intranet seems short sighted as well.
I guess the last point about hackers smoking pot is another reason to legalize it?
Steam: https://steamcommunity.com/profiles/76561198004484595
1. 35Q is crypto. There is a specific 17 CMF that is being stood up.
2. I don't see how this contradicts what I stated.
3. I am also aware of this. Many of my colleagues also decided against reenlistment.
It isn't so much that the military can't handle more technical non combat arms fields, it's that going into these fields in the military is like going to a quick and dirty vocational boot camp where you also shoot guns and get yelled at. And instead of four years of study and then an internship or entry level experience, you go from 16-50 weeks of training to a job you very likely may not actually perform for the majority of the time you aren't deployed. edit: by this I mean that the military could handle these types of jobs with some adjustment. My experience was with intel though, not cyber.
I think one of the issues is with how the military does it . So long as you can PT and get a passing score on the range you can be terrible at and/or hate your MOS and still work in that field.
The US has been a willing victim for years for cyber espionage.
As it stands now crypto is cyber. The crypto people work with the non military cyber people doing the same thing in the same place. It's all done through computers now anyway.
I'm not really trying to contradict that the environment sucks or anything, just pointing out that there are capabilities being developed, which you expanded on.
It's not even just cyber. While I was at Fort Gordon on my night off (I worked mids), I went to do some laundry at like 2am and there was some Chinese dude dumpster diving. I went back to my room and told my roommate about it as he went out to smoke, and the dude drove up to the dumpster that was visible from our room and started going through it. We ended up callingthe cops and he had been driving all over base pulling out documents and electronics people had been throwing away. He said he was recycling (right...) and the MPs just let him go. Fast forward about a month and again me and my roommate are up on our night off and the same chinese dude is going through the dumpsters again, and we call the cops again, and they just escorted him off base.
Being in the intel field both of us were like WTF!? You can't have some foreign national free to just try to dig around for personal documents of your intel workers. Obviously that kind of thing is the reason why you shred papers and destroy electronics but some people don't. Anyway the point of that was that the US is a willing victim espionage in general, and the smashing a window metaphor just reminded me of the dumpster diving chinese dude.
Steam: https://steamcommunity.com/profiles/76561198004484595
Even an air-gapped network can be penetrated and compromised, as the US showed with Stuxnet and the Equation Group's various creations.
Hell, I'm pretty sure the Equation Group is why the DOD now recommends physical destruction of storage media, rather than just wiping and degaussing.
Yep. Unfortunately non intel soldiers (like MPs) think intel is useless and intel soldiers are stupid. They don't see it as a CI threat, they see it as just an annoyance to deal with before they can get off their shift.
I think the part that bugged me the most was that there were some MPs also in my unit for whatever reason and they had to go to all of the extra counter terrorism, IA, etc. things that we had to do in addition to the normal army mandated stuff. It's not like the MPs on Fort Gordon(or probably any base for that matter) do much aside from give out speeding tickets. You would kind of think that something out of the ordinary would help bring them out of the monotony. I know when I was on shift when the same thing happened every night I was doing it kind of half assed, but if something out of the ordinary popped up I was all over it trying to figure out what was up.
As far as things like USB drives, mostly the DoD doesn't even allow them, and where I worked the computers didn't even have usb ports or cd drives anyway. I would say in this case the "everyone is an idiot, and trust no one" mentality is actually pretty effective at keeping networks safe. It's often the computer illiterate old person that clicks on some sketchy email attachment and infects everything. I can't even comprehend computer illiterate people anymore, it blew my mind when there would be some meeting and people would ask who can use excel and powerpoint. Like anyone born after 1980?
Steam: https://steamcommunity.com/profiles/76561198004484595
This is actually true for pretty much everything, not just hacking.
Like, Secret Service redteams pretty much always "win" in terms of exploiting a security flaw to "kill" the president unless the blue team is given an advantage.
In more directly related news, CCDC (a college level cyber-defense contest) is basically scored by who gets fucked up by the redteam the least. It isn't possible to secure systems well enough to prevent hacking by dedicated people even before social engineering comes into play, and social engineering makes everything even harder.
I've never used a powerpoint anything, and I've been using a computer since 10th grade Apple IIc. I've only just started using excel at work in like the last year. The amount of my coworkers that can't even log onto the company education site that only requires the employee number and birthdate in DDMMYYYY is insane. I seriously have no expectation that anybody even knows the basics of computers anymore.
Agreed. Never used a thumb drive for anything work related. The only time we ever used the cd drive was to listen to music while deployed, and the cds never left the SCIF.
Other than that everything was transferred from computer to computer through the shared drive.